The vulnerability lies in Keycloak’s XMLSignatureUtil class, which incorrectly verifies SAML signatures, disregarding the vital “Reference” element that specifies the signed portion of the document.